Security Challenges Affecting The FinTech Industry
The global FinTech market, which is growing at a compound annual growth rate of 22.2%, is expected to be worth a whopping USD 305.7 billion by 2023. The growing industry has been powered by highly valued and well-funded start-ups that complement the financial services technologies provided by traditional banks. The FinTech industry has adopted the mantra of “Consumer is King” while offering customers more convenience when carrying out financial transactions. It has provided consumers with alternatives not only in the payments sector but also in insurance, lending, investments, wealth management and capital markets. Innovations brought about by the spread of FinTech have disrupted all aspects of the financial services industry, forcing banks to rethink their strategies in order to keep up. Finance is, however, the most vulnerable area when it comes to both crime and cyber-crime. The industry is growing at lightning speed, and the dynamic nature of the technology may have left industry players open to attack. In this article, we explore the various security challenges that the FinTech industry needs to overcome in order to continue its pace of growth.
Data Security: With FinTech, consumers now have easy access to a variety of financial solutions. This has been made possible by increased collaboration between financial institutions and third-party service providers. Increased collaboration requires greater data sharing between the parties involved. However, the end-user has no knowledge of who the rightful owner of their personal financial data is, or of how ownership and access are managed for each piece of data. For example, if I am using a mobile payment app to transfer money to a friend’s bank account, how much data does the app provider have about my bank account, and until when is this data retained? In case of a mishap, a FinTech provider would always be at risk of facing litigation from the consumer. Even when seeking consent from consumers for access to data, providers need to ensure that consumers are making informed choices about their particulars at a granular level.
Lack of regulation: While banks and traditional financial institutions are governed by a large number of regulations and compliance requirements, many of them do not apply to FinTech. The speed of innovations in FinTech has probably left the regulating bodies far behind. While the lack of regulations fuels the pace of FinTech innovations, there is always a risk that some ambitious FinTech entrepreneur may ignore security altogether. They may forget that any risk to the consumer’s transactions and data is a direct risk to their business, and growth cannot come at the cost of security.
Misuse of digital identities: A person need not be physically present in order to use many of the FinTech applications. It’s the consumer’s responsibility to keep their digital identity secure. However, when things go wrong because of identity theft, the provider’s reputation takes a direct hit along with the consumer’s wallet. As such, FinTech applications need to take every step necessary to ensure that the consumer is who he/she claims to be. A combination of security tokens, one-time passwords, and biometric authentication methods, as well as adaptive authentication, may be the solution to identity theft problems.
Interfaces between systems: FinTech systems are driven by APIs (Application Programming Interfaces) that connect various enterprise applications together. For example, if you have an insurance app that lets you search policies available from different providers, compare them, select one and then buy it, all in one session, consider the number of APIs exposed by different providers that this app is accessing. Each provider probably has an API to access details of each type of policy that it sells. Additionally, it would have 2-3 APIs to fulfil the purchase workflow. The FinTech provider thus needs to ensure that it is accessing all of these APIs in a secure manner. Any loophole in any of these interconnected systems could potentially impact multiple systems.
Resource Movement: Most start-ups are characterized by the dynamic nature of their human resources. They may employ temporary staff and freelancers in addition to permanent staff who have a high rate of attrition. It may be very difficult to monitor whether architects and programmers are using secure coding practices and adopting industry best practices to protect the application and application data from falling into the wrong hands. While an NDA may be signed by all employees and contractors, do companies have the resources to ensure that every member of their team is complying with the NDA?
While we have tried to highlight the most prominent security challenges, governance and regulation are still at a nascent stage when it comes to the FinTech industry. Those who have implemented strong boundaries will definitely be the long runners in the race and will set the path for others to follow.
David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments in the Greater China region and he is also an independent consultant at Cardzgroup.